Exploitation code for CVE-2022-1388 available: Critical remote code execution vulnerability in F5 Network management tools

A few days ago, the security teams of F5 Networks reported the correction of more than 50 vulnerabilities in various versions of BIG-IP, among which CVE-2022-1388 stands out, a critical flaw that could be exploited to deploy remote code execution (RCE) attacks. This morning the company updated its alert, recommending organizations using its application delivery drivers to upgrade, as the critical flaw is being exploited in the wild.

According to the report, successful exploitation would allow unauthenticated threat actors with network access to the BIG-IP system to execute arbitrary commands, making it a critical security risk for organizations using these deployments.

The company announced the release of the corresponding security patches on May 4, just days before two security firms began developing a pair of proof-of-concept (PoC) exploits. Although these companies did not reveal their code, the PoCs were leaked this weekend.

Although the public disclosure of these exploits undoubtedly increases the risk of exploitation, specialist Kevin Beaumont claims to have detected active exploitation attempts even before the PoC leak: “If you configured your F5 implementation as a load balancer and a firewall through your own IP, you are also vulnerable to attack,” he mentioned.

On the other hand, on Monday morning the researcher Germán Fernández reported the detection of a massive exploitation campaign of the vulnerability, with hackers trying to install a webshell that gives them access to the target system in the same way that the installation of a backdoor would.

The reported vulnerability resides in all versions of F5 BIG-IP between v11 and v17. At the time of the report, the company confirmed that BIG-IP 11 and 12 would not receive updates, as they reached the end of their useful life; versions 13.1.5, 14.1.4.6, 15.1.5.1, 16.1. 2.2 and 17.0.0 did receive security patches.

Attempts to exploit vulnerabilities in BIG-IP days after their fix are not unusual. Between 2020 and 2021, multiple cases of vulnerability exploitation were reported just a couple of days after affected products were updated, demonstrating that these computers can be highly sensitive to hacking even after updates are available.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.